FEDERAL TRADE COMMISSION
OFFICE OF INSPECTOR GENERAL

SEMIANNUAL REPORT TO CONGRESS

April 1, 2006 - September 30, 2006

Report #35

UNITED STATES OF AMERICA
FEDERAL TRADE COMMISSION
WASHINGTON, D.C. 20580

Office of Inspector General

October 20, 2006

The Honorable Deborah Majoras
Chairman
Federal Trade Commission
600 Pennsylvania Avenue, N.W.
Washington, D.C. 20580

Dear Chairman Majoras:

The attached report covers the Office of Inspector General's (OIG) activities for the second half of fiscal year 2006 and is submitted pursuant to Section 5 of the Inspector General Act of 1978, as amended.

During the six-month reporting period ending September 30, 2006, the OIG issued an audit of the FTC’s Implementation of the Federal Information Security Act for FY 2006. The OIG also issued two management advisories.

In addition, the OIG processed 52 consumer inquiries and complaints/allegations of possible wrongdoing during the period, opened three new investigations into wrongdoing, and closed six investigations. The results of these closed investigations were reported to management for ultimate disposition.

As in the past, management has been responsive in attempting to implement all OIG recommendations. I appreciate management's support and I look forward to working with you in our ongoing efforts to promote economy and efficiency in agency programs.

Sincerely,

Howard L. Sribnick
Inspector General

INTRODUCTION

The Federal Trade Commission (FTC) seeks to assure that the nation’s markets are competitive, efficient and free from undue restrictions. The FTC also seeks to improve the operation of the marketplace by combating unfair and deceptive practices, with emphasis on those practices that might unreasonably restrict the free exercise of informed choice by consumers. The FTC relies on economic analysis to support its law enforcement efforts and to contribute to the economic policy deliberations of Congress, the Executive Branch and the public.

To aid the FTC in accomplishing its consumer protection and antitrust missions, the Office of Inspector General (OIG) was provided five work years and a budget of $917,500 for fiscal year 2006.

AUDITS

AR-06-73 Review of FTC Implementation of the Federal Information Security Management Act (FISMA)

The OIG completed a review of Federal Trade Commission Implementation of the Federal Information Security Management Act during fiscal year 2006.[1]

The OIG found that FTC’s Office of Information and Technology Management (ITM) continues to make progress in developing a mature information security program and has implemented or addressed OIG-identified security vulnerabilities discussed in previous independent evaluation reports and other security reviews.

Notwithstanding the progress made by the FTC, the OIG identified weaknesses and vulnerabilities that merit management’s attention. The more important findings include:

• FTC’s Disaster Recovery Plan (DRP) needs further development.
The identified alternate sites at 601 New Jersey Avenue and the East Central Regional Office (ECRO) do not have sufficient space, power, or HVAC capability to function as a backup site for the FTC, if the main data centers were disabled. Additionally, there was no evidence that memoranda of understanding (MOU), service level agreements (SLA), or agreements with the General Services Agency (GSA) are in place to provide the extra resources needed at ECRO.

• FTC has contracted with ICF Consulting (ICF) for the use of CommentWorks(SM) software to receive and process comments from the public on proposed regulatory action. The FISMA review found that FTC managers responsible for CommentWorks(SM) are not notified when FTC employees leave the organization or are transferred within the organization and no longer need access to the system. Additionally, the review discovered that there is no contingency plan for ICF or CommentWorks(SM) in the event of a discontinuance of service.

• Policies, procedures and related security documentation for the FTC’s Internet Lab either do not exist or are not documented.[2] There are no documented policies, procedures or forms for requesting, approving or creating/removing user accounts for the Internet Lab. OIG was also advised that user IDs and passwords are not required for users to log onto and access Internet Lab workstations. There are no documented maintenance procedures. Backups are not conducted at this time; however, raw data is archived.

• The East Central Regional Office may take longer to recover from an incident since it does not have a contingency plan. All regional offices rely on Headquarters for contingency planning and disaster recovery. The FTC DRP and Continuity of Government kit do not address recovery of regional offices.

[1] As part of its review the OIG conducted an internal scan of the FTC network environment. The results of the scan were reported to the agency under a separate non-public document.

[2] The Internet Lab is an internal bank of computers that are not connected to the agency’s network and whose gateway to the internet cannot be traced back to the FTC’s IP address. The Lab is used by agency staff to conduct law enforcement investigations.

MANAGEMENT ADVISORIES

MA-06-12 Vulnerabilities Pertaining to Oversight of Receiver

The OIG completed analysis of FTC’s practices and procedures for recommending and monitoring receivers appointed in consumer fraud cases. The OIG found that there was no centralized repository for information regarding the qualifications of potential receivers, there was no procedure in place to assure that potential receivers had not in the past been disciplined in connection with the performance of their fiduciary obligations, and that monitoring of receivers’ performance was left to the court (which, in many cases, did not enforce reporting requirements included in the order establishing the receivership). The OIG recommended that the agency centralize the maintenance of information gathered on potential receivers, require that potential receivers attest that they had not been the subject of prior disciplinary action, and implement procedures to allow the agency to more closely monitor the work of receivers. Management has agreed with the recommendations included in this advisory and is in the process of taking actions to complete implementation.

MA-06-14 Improved Oversight of FTC Travel Card Program

The OIG completed an examination of controls relating to the FTC travel credit card program. The OIG found a number of areas of employee abuse of the travel credit card program including charging personal expenses not related to government travel, taking cash advances for personal use and not paying off the balance owed on the credit card in a timely manner. The OIG also found that the agency was usually unaware of employee misuse of travel credit cards until notified by the card issuer that the employee’s charge privileges were about to be suspended or cancelled. The OIG recommended a number of improvements to management controls over this program.
In response to these recommendations, management undertook action including: routine screening of employee charges on FTC-issued travel credit cards; requiring that holders of travel credit cards sign a notice and attestation demonstrating that they are aware that charges may only be made for approved purchases while on official travel and that balances owed must be paid in a timely manner; and the hiring of a new manager to monitor the program. In the view of the OIG, these actions will significantly improve the integrity of this program.

PLANNED AUDITS AND REVIEWS

Audit of the FTC’s Financial Statements for Fiscal Year 2006

The purpose of the audit is to express an opinion on the financial statements of the Federal Trade Commission for the fiscal year ending September 30, 2006. The principal statements to be audited include the (a) Balance Sheet; (b) Statement of Net Cost; (c) Statement of Changes in Net Position; (d) Statement of Budgetary Resources; (e) Statement of Financing; (f) Statement of Custodial Activity and notes to the financial statements. The OIG will also test the internal controls associated with the movement of transactions through the FTC’s financial system and assess compliance with selected laws and regulations.

The OIG is using guidance contained in OMB Bulletin No. 01-02, Audit Requirements for Federal Financial Statements, in performing this audit. The audited financial statements are required to be included in the financial section of the agency’s Performance and Accountability Report to be issued on or before November 15, 2006.

Review of the Federal Trade Commission Purchase Card Program

The objective of this audit will be to assess internal controls over the government purchase card program.
Specific audit objectives will be to (i) document controls; (ii) determine the functioning of processes and procedures; and (iii) assess areas that could be strengthened to better ensure that the goals of the program are achieved.

Audit of the Operations of the Redress Office of the Bureau of Consumer Protection

The scope of the audit includes how the program is managed, how well tracking and reporting responsibility is performed, the status of implementation of OIG recommendations regarding the appointment of receivers and tests of internal controls.

Review of the Consumer Response Center

The scope of the review includes how CRC classifies complaints and inquiries for assistance, how responsive the CRC is to meeting consumer complaints including the accuracy of recording information into the database, how “user friendly” the CRC reporting system is and how well personally identifiable information is protected.

INVESTIGATIVE ACTIVITIES

The Inspector General is authorized by the IG Act to receive and investigate allegations of fraud, waste and abuse occurring within FTC programs and operations. Matters of possible wrongdoing are referred to the OIG in the form of allegations or complaints from a variety of sources, including FTC employees, other government agencies and the general public.

Reported incidents of possible fraud, waste and abuse can give rise to administrative, civil or criminal investigations. OIG investigations are also initiated when there is an indication that firms or individuals are involved in activities intended to improperly affect the outcome of particular agency enforcement actions.
Because this kind of wrongdoing strikes at the integrity of the FTC's consumer protection and antitrust law enforcement missions, the OIG places a high priority on these investigations.

In conducting criminal investigations during the past several years, the OIG has sought assistance from, and worked jointly with, other law enforcement agencies, including other OIGs, the Federal Bureau of Investigation, U.S. Postal Inspection Service, U.S. Secret Service, U.S. Marshal’s Service, Internal Revenue Service, Capitol Police, Federal Protective Service as well as state agencies and local police departments.

Investigative Summary

During this reporting period, the OIG received 52 consumer and other inquiries and reports of possible wrongdoing. Of the 52 complaints, 21 involved issues that fall under the jurisdiction of FTC program components (identity theft, credit repair, etc.). Consequently, the OIG referred these matters to the appropriate FTC component for disposition.

Of the remaining complaints, the OIG opened 3 new investigations. The OIG offered some assistance to other OIGs or law enforcement organizations in conducting ongoing investigations respecting 3 inquiries. Another five complaints remained ongoing at the end of the reporting period.
Finally, the OIG closed the 20 remaining complaints without any further action.

Following is a summary of the OIG's investigative activities for the six-month period ending March 31, 2006:

    Cases pending as of 3/31/06      3
    PLUS: New cases                  3
    LESS: Cases closed              (6)
    Cases pending as of 9/30/06      0

Investigations Closed

The OIG closed the following six investigations during this reporting period:

The OIG closed a file, opened during a prior reporting period, involving misuse of a Government-issued travel card. The investigation stemmed from the agency’s ongoing monitoring of employee use of Government-issued credit cards, as previously reported. The investigative referral to agency management detailed personal travel card transactions totaling thousands of dollars and spanning more than a year. The matter was referred to management and disciplinary action is pending.

The OIG continued investigative work on two computer misuse matters opened during a prior reporting period and opened a new computer misuse investigation. Investigative work on all three matters was completed during this reporting period and the investigative files were closed.

The first computer misuse investigation arose from the agency’s ongoing monitoring of employee usage of the internet. The referral alleged that an employee in the agency’s information technology program office installed a software program from an internet website that enables users to download illegal software license keys (i.e., numerical codes that allow use of software applications without proper authorization from the software manufacturers).
Forensic analysis revealed that the employee had previously installed this unauthorized program from an internet website and downloaded illegal software license keys onto his computer. Additional unauthorized software programs were found on his Government computer. We referred the investigative findings to management and disciplinary action is currently pending.

The second computer misuse investigation involved allegations that an agency attorney had downloaded pornographic images in violation of agency policy. Management referred the matter to this office because the downloaded images may have been in violation of criminal statute. The attorney had been the subject of a prior OIG investigation in 2004 and management was alerted that the problem may be ongoing when the employee allegedly used the agency’s computer printer to print a pornographic image. Management authorized a forensic analysis of the employee’s computer that revealed the presence of additional pornographic images that were not present on his computer when it was analyzed as part of the earlier OIG investigation. Disciplinary action is currently pending.

The third computer misuse investigation focused on allegations that an agency attorney was misusing Government computers to view pornographic images. Because management obtained evidence that criminal statutes could be implicated, the OIG was advised concerning the matter. Our investigation revealed that the employee had a history of the alleged misuse and that he was using computers that were not specifically assigned to him to view graphic images in violation of agency policy. There was also evidence that he left the office during scheduled work hours to meet individuals with whom his initial contact was made online.
During the pendency of the OIG investigation, the employee voluntarily retired from federal service.

Another investigation was in response to the theft of a government laptop from a locked vehicle while the attorney responsible for the laptop was on official travel. The laptop contained personally identifiable information (i.e., names, addresses, Social Security numbers, dates of birth, driver’s license numbers, voter registration information and in some instances financial account numbers) gathered in law enforcement investigations for approximately 110 individuals. These individuals were defendants in FTC cases, relatives of FTC defendants, individuals associated with FTC defendants or individuals whose names are similar to FTC defendants. The agency promptly notified the affected individuals that their personal information was compromised and provided information on the steps that the individuals should consider taking to limit their risk of identity theft. The agency also offered each affected individual one year of free credit monitoring. The OIG investigation into the theft revealed that the attorney responsible for the laptop failed to adhere to her supervisor’s explicit instruction to remove all personally identifiable information from her laptop prior to business travel, which left the personally identifiable information contained on the stolen laptop vulnerable to unauthorized disclosure.

The FTC has no reason to believe the information on the laptops, as opposed to the laptops themselves, was the target of the theft. Our investigation also revealed that the attorney’s organization failed to follow agency procedures regarding the disposition of the employee’s old computer that had been replaced.
The OIG referred the matter to management for further action.

The sixth investigation closed during this reporting period involved an allegation that an agency employee physically accosted and behaved in an unprofessional manner toward an individual who attended an FTC-sponsored industry conference. The employee, an agency investigator, attended the conference and had been assigned many logistical and organizational responsibilities relating to the conference. The complaint to the OIG alleged that, on two occasions, the employee physically restrained an individual representing an industry consumer advocacy group that has been critical of the FTC’s enforcement of regulations governing the industry. The agency employee also allegedly informed the conference attendee that he would have to leave the conference because he had not preregistered for the event. The OIG obtained statements from three separate eyewitnesses to the alleged incidents and presented the employee with the evidence. The employee denied that any of the alleged incidents occurred as described by the eyewitnesses and complainant.
We referred our conclusion that the employee had mistreated the conference attendee to management for appropriate action.

Matters Referred for Prosecution

During this reporting period the OIG referred no new cases to the Department of Justice for prosecution.

Significant Management Decisions

Section 5(a)(12) of the Inspector General Act requires that if the IG disagrees with any significant management decision, such disagreement must be reported in the semiannual report. Further, Section 5(a)(11) of the Act requires that any decision by management to change its response to a significant resolved audit finding must also be disclosed in the semiannual report. For this reporting period there were no significant final management decisions made with which the IG disagreed and management did not revise any earlier decision on an OIG audit recommendation.

Access to Information

The IG is to be provided with ready access to all agency records, information, or assistance when conducting an investigation or audit. Section 6(b)(2) of the IG Act requires the IG to report to the agency head, without delay, if the IG believes that access to required information, records or assistance has been unreasonably refused, or otherwise has not been provided. A summary of each report submitted to the agency head in compliance with Section 6(b)(2) must be provided in the semiannual report in accordance with Section 5(a)(5) of the Act.

During this reporting period, the OIG did not encounter any problems in obtaining assistance or access to agency records. Consequently, no report was issued by the IG to the agency head in accordance with Section 6(b)(2) of the IG Act.

Audit Resolution

As of the end of this reporting period, all OIG audit recommendations for reports issued in prior periods have been resolved.
That is, management and the OIG have reached agreement on what actions need to be taken. In addition, management has taken action to implement most of OIG’s outstanding recommendations. The OIG is awaiting final action by the Redress Administration Office of the Bureau of Consumer Protection regarding automated tracking of redress contractor performance and the centralization of information regarding potential receivers.

Review of Legislation

Section 4(a)(2) of the IG Act authorizes the IG to review and comment on proposed legislation or regulations relating to the agency or, upon request, affecting the operations of the OIG. During this reporting period, the OIG reviewed no legislation.

Contacting the Office of Inspector General

Employees and the public are encouraged to contact the OIG regarding any incidents of possible fraud, waste, or abuse occurring within FTC programs and operations. The OIG telephone number is (202) 326-2800. To report suspected wrongdoing, employees may also call the OIG's investigator directly on (202) 326-2618. A confidential or anonymous message can be left 24 hours a day. Complaints or allegations of fraud, waste or abuse can also be emailed directly to chogue@ftc.gov. OIG mail should be addressed to:

    Federal Trade Commission
    Office of Inspector General
    Room NJ-1110
    600 Pennsylvania Avenue, NW
    Washington, D.C. 20580

OIG reports can be obtained directly from the internet at: www.ftc.gov/oig. A visitor to the OIG home page can download recent OIG semiannual reports to Congress, the FY 1998 - 2005 financial statement audits, and other program and performance audits issued beginning in FY 1999.
A list of audit reports issued prior to FY 1999 can also be ordered via an e-mail link to the OIG. In addition to this information resource about the OIG, visitors are also provided a link to other federal organizations and Office of Inspectors General.

Internet Access

The OIG can be accessed via the world wide web at: http://www.ftc.gov/oig. A visitor to the OIG home page can download recent OIG semiannual reports to Congress, the FY 1998 - 2005 financial statement audits and other program and performance audits issued beginning in FY 1999. A list of audit reports issued prior to FY 1999 can also be ordered via an e-mail link to the OIG. In addition to this information resource about the OIG, visitors are also provided a link to other federal organizations and office of inspectors general.

TABLE I
SUMMARY OF INSPECTOR GENERAL REPORTING REQUIREMENTS

IG Act Reference    Reporting Requirement                                        Page(s)

Section 4(a)(2)     Review of legislation and regulations                        7

Section 5(a)(1)     Significant problems, abuses and deficiencies                1-3

Section 5(a)(2)     Recommendations with respect to significant
                    problems, abuses and deficiencies                            1-3

Section 5(a)(3)     Prior significant recommendations on which
                    corrective actions have not been made                        7

Section 5(a)(4)     Matters referred to prosecutive authorities                  7

Section 5(a)(5)     Summary of instances where information was refused           7

Section 5(a)(6)     List of audit reports by subject matter, showing dollar
                    value of questioned costs and funds put to better use        11

Section 5(a)(7)     Summary of each particularly significant report              1-3

Section 5(a)(8)     Statistical tables showing number of reports and
                    dollar value of questioned costs                             10

Section 5(a)(9)     Statistical tables showing number of reports and dollar
                    value of recommendations that funds be put to better use     10

Section 5(a)(10)    Summary of each audit issued before this reporting
                    period for which no management decision was made
                    by the end of the reporting period                           7

Section 5(a)(11)    Significant revised management decisions                     7

Section 5(a)(12)    Significant management decisions with which
                    the inspector general disagrees                              7

TABLE II
INSPECTOR GENERAL ISSUED REPORTS WITH QUESTIONED COSTS

                                                           Dollar Value
                                                  Number   Questioned Costs   Unsupported Costs

A.  For which no management decision has
    been made by the commencement of the
    reporting period                              0        0                  [0]

B.  Which were issued during the reporting
    period                                        0        0                  [0]

    Subtotals (A + B)                             0        0                  [0]

C.  For which a management decision was
    made during the reporting period              0        0                  [0]

    (i) dollar value of disallowed costs          0        0                  [0]

    (ii) dollar value of cost not disallowed      0        0                  [0]

D.  For which no management decision was
    made by the end of the reporting period       0        0                  [0]

    Reports for which no management
    decision was made within six months of
    issuance                                      0        0                  [0]

TABLE III
INSPECTOR GENERAL ISSUED REPORTS WITH RECOMMENDATIONS THAT FUNDS BE PUT TO BETTER USE

                                                           Number   Dollar Value

A.  For which no management decision has been made
    by the commencement of the reporting period            0        0

B.  Which were issued during this reporting period         0        0

C.  For which a management decision was made during
    the reporting period                                   0        0
    (i) dollar value of recommendations that were
    agreed to by management                                0        0
    - based on proposed management action                  0        0
    - based on proposed legislative action                 0        0
    (ii) dollar value of recommendations that were
    not agreed to by management                            0        0

D.  For which no management decision has been made
    by the end of the reporting period                     0        0
    Reports for which no management decision was
    made within six months of issuance                     0        0